summaryrefslogtreecommitdiffstats
path: root/package/imlib2/0001-fix-CVE-2016-3994.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/imlib2/0001-fix-CVE-2016-3994.patch')
-rw-r--r--package/imlib2/0001-fix-CVE-2016-3994.patch71
1 files changed, 71 insertions, 0 deletions
diff --git a/package/imlib2/0001-fix-CVE-2016-3994.patch b/package/imlib2/0001-fix-CVE-2016-3994.patch
new file mode 100644
index 0000000000..bf28905216
--- /dev/null
+++ b/package/imlib2/0001-fix-CVE-2016-3994.patch
@@ -0,0 +1,71 @@
+From 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 Mon Sep 17 00:00:00 2001
+From: Kim Woelders <kim@woelders.dk>
+Date: Sun, 3 Apr 2016 19:40:25 +0200
+Subject: [PATCH] GIF loader: Fix out-of-bound reads from colormap.
+
+Bug-Debian: http://bugs.debian.org/785369
+Note: removes all special-casing from the inner loop, optimize for common case.
+Author: Yuriy M. Kaminskiy <yumkam+debian@gmail.com>
+Reported-By: Jakub Wilk <jwilk@debian.org>
+
+Thanks to Bernhard U:belacker <bernhardu@vr-web.de> for analysis.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ src/modules/loaders/loader_gif.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
+index 638df59..4f08d64 100644
+--- a/src/modules/loaders/loader_gif.c
++++ b/src/modules/loaders/loader_gif.c
+@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
+
+ if (im->loader || immediate_load || progress)
+ {
++ DATA32 colormap[256];
++
+ bg = gif->SBackGroundColor;
+ cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
++ memset (colormap, 0, sizeof(colormap));
++ if (cmap != NULL)
++ {
++ for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
++ {
++ r = cmap->Colors[i].Red;
++ g = cmap->Colors[i].Green;
++ b = cmap->Colors[i].Blue;
++ colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
++ }
++ /* if bg > cmap->ColorCount, it is transparent black already */
++ if (transp >= 0 && transp < 256)
++ colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
++ }
+ im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
+ if (!im->data)
+ goto quit;
+@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
+ {
+ for (j = 0; j < w; j++)
+ {
+- if (rows[i][j] == transp)
+- {
+- r = cmap->Colors[bg].Red;
+- g = cmap->Colors[bg].Green;
+- b = cmap->Colors[bg].Blue;
+- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
+- }
+- else
+- {
+- r = cmap->Colors[rows[i][j]].Red;
+- g = cmap->Colors[rows[i][j]].Green;
+- b = cmap->Colors[rows[i][j]].Blue;
+- *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
+- }
++ *ptr++ = colormap[rows[i][j]];
+ per += per_inc;
+ if (progress && (((int)per) != last_per)
+ && (((int)per) % progress_granularity == 0))
+--
+2.7.3
+
OpenPOWER on IntegriCloud